SVG Formatter - Critical - Cross Site Scripting - SA-CONTRIB-2018-027

Project: SVG Formatter
Date: 2018-May-09
Security risk: Critical 15/25
Vulnerability: Cross Site Scripting

Description

This module adds a new formatter for file fields, which allows any file
extension to be uploaded.
The module doesn't sufficiently sanitize uploaded SVG files, so an SVG
containing active content can execute script in the context of the site.
This vulnerability is mitigated by the fact that an attacker must have a role
with the create or edit permission on a content type that allows SVG
files to be uploaded.
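The missing control here is a check of uploaded SVG markup for script-capable constructs before it is rendered. The following is an added example (not code from the SVG Formatter module or from Drupal) of such a check using only the Python standard library; the two SVG documents it inspects are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample: plain vector graphic with no active content.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
    b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'
)

# Constructed sample: the three constructs the scanner is meant to flag.
ACTIVE_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="handler()">'
    b'<script>/* constructed sample, no payload */</script>'
    b'<a xlink:href="javascript:void(0)"><text y="10">x</text></a></svg>'
)

# Elements that can carry script or embed arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}


def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means nothing script-capable was seen.

    An unparseable document is reported as a finding so the caller rejects it
    rather than letting a browser's lenient parser decide what it means.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        tag = _local(elem.tag) if isinstance(elem.tag, str) else ""
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, onmouseover, ...
                findings.append(f"event handler {name}= on <{tag}>")
            # javascript: URIs are checked on every attribute, not only href,
            # so animation targets such as <set to="javascript:..."> are caught too
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {name}= on <{tag}>")
    return findings


def is_safe_svg(svg_bytes):
    """True only when the scanner reports no findings."""
    return not find_active_content(svg_bytes)
```

A formatter that renders the file inline would call `is_safe_svg()` on upload and on render and refuse (or serve as a plain download) anything that fails.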

Solution

Install the latest version:

* If you use the SVG Formatter module for Drupal 8.x, upgrade to SVG Formatter 8.x-1.06

Also see the SVG Formatter project page.
